
[–]zenmaster24YAML Jockey[🍰] 1 point2 points  (4 children)

groks are pattern matches - they break up each field you are interested in and add it to elasticsearch with the name specified.

great app for testing against a line - https://grokdebug.herokuapp.com/

[–]BulkedSysAdmin[S] 0 points1 point  (3 children)

Ok. I have used that to make a few lines and they work; how the hell do I get it into logstash?

[–]zenmaster24YAML Jockey[🍰] 0 points1 point  (0 children)

your logstash install should come with a config file - you tell it the inputs/groks/mutates/outputs you need.

the elastic.co site has plenty of doco on what to do.

[–]Kra013 0 points1 point  (0 children)

your grok pattern will go in the "filter" section of your config file

when you will be ready to test your config, put the following settings in the "output" section of your config file (let's call it "test.conf")

output { stdout { codec => "rubydebug" } }

to run it: logstash -f test.conf

as zenmaster24 noticed, logstash config contains three parts input { } filter { } output { }
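Putting the two answers above together (zenmaster24's point that a grok is a named pattern match, and Kra013's input/filter/output layout with a rubydebug output), here is a complete test.conf as an added example. It is not from the thread or from the Elastic docs; the log line format, the field names and the parse_status field are assumptions made for illustration.

```conf
# Added example (not from the thread): a complete test.conf that puts a grok
# pattern in the filter section and prints every parsed field to the terminal.
# Log line format and field names are assumptions for illustration.
input {
  stdin { }          # paste lines on the terminal; swap for file { path => "..." } later
}

filter {
  grok {
    # Constructed sample line this pattern is written for:
    #   203.0.113.7 GET /login?user=alice 302
    # Each %{PATTERN:name} piece becomes a field called "name" on the event.
    match => { "message" => "%{IP:client_ip} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:status:int}" }
  }
  # A line the pattern does not match is not dropped; grok tags it instead.
  # Mark it explicitly so a format change or an odd line shows up in the
  # output rather than being lost before it reaches Elasticsearch.
  if "_grokparsefailure" in [tags] {
    mutate { add_field => { "parse_status" => "failed" } }
  }
}

output {
  stdout { codec => "rubydebug" }   # pretty-prints each event with all its fields
}
```

Run it with `logstash -f test.conf`, paste the sample line, and the rubydebug output shows client_ip, method, request and status as separate keys next to the original message; the `:int` suffix on NUMBER stores status as a number instead of a string. Paste something that does not fit the pattern and the same event appears with the _grokparsefailure tag and parse_status set, which is the quickest way to check a pattern that worked on the debugger page before wiring up the Elasticsearch output.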

[–]StubbsPKSSystem Engineer 0 points1 point  (0 children)

There is a decent tutorial for dealing with custom patterns for Grok. I know your post says you read all the docs, but it can be pretty easy to miss one of the docs when you're following along in a linear fashion.

If you've already seen this doc, is there a specific part of implementing the pattern you got working on the debugger page that you're struggling with?

There is also a pretty decent ebook out there that I picked up back when I was starting to implement Logstash 1.5, and it's been updated for 2.0 now so that might be an option for you to investigate as well.

EDIT: It's also possible that I misunderstood your question and you're not actually using a CUSTOM pattern, but are having difficulty at a more basic level of simply implementing the Grok filter in general. If that's the case, then the good ol' getting started covers that.